Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Appendix A. Troubleshooting: General Guidelines

This appendix describes general steps for determining the root cause of a problem, for example by querying logs and service statuses.
Note
For lists of specific problems and their solutions, see Appendix B, Troubleshooting: Solutions to Specific Problems.
What were you doing when you encountered the problem?
If you know which specific area of IdM is causing the problem, follow these links:
If this guide does not help you find and fix the problem and you proceed to file a customer case, include any notable error output that you determined using these troubleshooting procedures in the case report. See also Contacting Red Hat Technical Support.

A.1. Investigating Failures when Executing the ipa Utility

Basic Troubleshooting

  1. Add the --verbose (-v) option to the command. This displays debug information.
  2. Add the -vv option to the command. This displays the JSON response and request.

Advanced Troubleshooting

Figure A.1, “The architecture of executing the ipa cert-show command” shows which components interact when the user uses the IdM command-line utility. Querying these components can help you investigate where the problem occurred and what caused it.
  1. Use the following utilities:
    • host to check the DNS resolution of the IdM server or client
    • ping to check if the IdM server is available
    • iptables to check the current firewall configuration on the IdM server
    • date to check the current time
    • nc to try to connect to the required ports, as listed in Section 2.1.6, “Port Requirements”
    For details on using these utilities, see their man pages.
  2. Set the KRB5_TRACE environment variable to the /dev/stdout file to send trace-logging output to /dev/stdout: 
    $ KRB5_TRACE=/dev/stdout ipa cert-find
    Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
  3. Review the Apache error log:
    1. Enable debug level on the server: Open the /etc/ipa/server.conf file, and add the debug=True option to the [global] section.
    2. Restart the httpd service: 
      # systemctl restart httpd.service
    3. Run the command that failed again.
    4. Review the httpd error log on the server: /var/log/httpd/error_log.
    Run the command with the -vvv option to display the HTTP request and response.
  4. Review the Apache access log: /var/log/httpd/access_log.
    Review the logs for the Certificate System component:
    • /var/log/pki/pki-ca-spawn.time_of_installation.log
    • /var/log/pki/pki-tomcat/ca/debug
    • /var/log/pki/pki-tomcat/ca/system
    • /var/log/pki/pki-tomcat/ca/selftests.log
    • Use the # journalctl -u pki-tomcatd@pki-tomcat.service command to review the journal log.
  5. Review the Directory Server access log: /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/access.

Figure A.1. The architecture of executing the ipa cert-show command

The architecture of executing the ipa cert-show command

Related Information